Introduction

This is the project page for the integration of SELinux policy into RPM 4. Specifically, the project focuses on adding infrastructure to RPM to install and manage SELinux policies, replacing the error-prone scriptlets that have been used up to now to install policy from RPMs.

For a detailed explanation of the %policy section and the tags/options that can be used, see #%policy section.

Installing an RPM with Policy

Installing an RPM will also install its policy.

# rpm -i <rpm>

Verifying the Policy is installed

# semodule -l | grep foo
foo 1.0.0

%policy section

The %policy tag is used to define SELinux policy modules that should be included in the package. A string following the %policy tag indicates the policy should be included in a subpackage.

%policy targeted

This indicates that all policy defined in this section will be included in the targeted subpackage. Similar to %package and %files, the -n option can be given to modify the final name of the subpackage.

The %policy section can contain the following tags.

%basetype

The %basetype tag specifies that the package is a base package and which policy type it is the base package for. The tag can be specified at most once per %policy section and cannot have the value 'default'.

%policy targeted
%basetype targeted

This specifies that the targeted subpackage is the base package for the targeted type. Although the subpackage and basetype are the same in this example, this is not required.

%module

The %module tag specifies a SELinux module to be included in the package. The format is %module path/to/selinux/module, where the path is relative to the rpm build directory. A typical %policy section with multiple modules and options looks like this:

This specifies two policy modules (foo.pp and bar.pp) to be included in the package. Each module has several options that describe characteristics of the preceding module. Each option has the form Option: value and applies to the most recent %module tag. In the following examples the options are indented for readability only; leading spaces are ignored when parsing the options.

Name

The Name option specifies the name of the policy module. This must match the name of the module specified inside the policy.

%policy
%module policies/foo.pp
Name: foo

If Name is not provided, the basename minus the extension will be used. However, it is recommended that you provide the option.

Types

The Types option is a space-separated list of policy types the module can be installed into. The special type 'default' can be used to specify that the module can be installed into any type. If the Types option is not specified, 'default' is assumed.

%policy
%module policies/foo.pp
Name: foo
Types: mls targeted

This specifies that the foo.pp module can be installed in both mls and targeted policy types.

Obsoletes

The Obsoletes option is a space-separated list of policy module names that are obsoleted by this module. When the module is installed, any module listed in Obsoletes is removed if it is currently installed (or skipped if it would be installed by the same transaction). If not specified, the module obsoletes nothing.

%policy
%module policies/foo.pp
Name: foo
Obsoletes: bar

This will remove the bar module at the same time as installing the foo module.

Base

The Base option is a boolean value (Yes/1 or No/0) that specifies whether or not a module is a base module. If not specified, it is assumed that the module is not a base module.
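The rules spread over the tags above (an option applies to the most recent %module, Name defaults to the basename minus the extension, Types defaults to 'default', Obsoletes defaults to nothing, Base takes Yes/1 or No/0, %basetype appears at most once and is never 'default') are easiest to see enforced in code. The parser below is an added example written for this page; it is not RPM's own %policy parser. The spec fragment it parses is constructed, and its handling of `-n`, the case-insensitive Yes/No, and the skipping of blank and `#` lines are assumptions, not documented behaviour.

```python
import os
from dataclasses import dataclass, field
from typing import List, Optional


# Constructed sample %policy section (not taken from any real package): the first
# module sets every documented option, the second relies on the defaults.
SAMPLE_POLICY_SECTION = """\
%policy targeted
%basetype targeted
%module policies/foo.pp
    Name: foo
    Types: mls targeted
    Obsoletes: bar
    Base: Yes
%module policies/baz.pp
    Types: targeted
"""


class PolicyParseError(ValueError):
    """A %policy section that violates the documented constraints."""


@dataclass
class PolicyModule:
    path: str                                   # relative to the rpm build directory
    name: str                                   # Name:, default = basename minus extension
    types: List[str] = field(default_factory=lambda: ["default"])   # Types:
    obsoletes: List[str] = field(default_factory=list)              # Obsoletes:
    base: bool = False                          # Base:


@dataclass
class PolicySection:
    subpackage: Optional[str] = None    # string after %policy, if any
    explicit_name: bool = False         # True when -n was given (assumed to mirror %package)
    basetype: Optional[str] = None      # %basetype: at most once, never 'default'
    modules: List[PolicyModule] = field(default_factory=list)


def _parse_bool(value: str) -> bool:
    """Base: accepts Yes/1 or No/0 (case-insensitively, an assumption here)."""
    v = value.strip().lower()
    if v in ("yes", "1"):
        return True
    if v in ("no", "0"):
        return False
    raise PolicyParseError(f"Base must be Yes/1 or No/0, got {value!r}")


def parse_policy_section(text: str) -> PolicySection:
    section = PolicySection()
    current: Optional[PolicyModule] = None      # module the next options apply to
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()                      # leading spaces are ignored
        if not line or line.startswith("#"):    # assumption: blanks/comments skipped
            continue
        words = line.split()
        if words[0] == "%policy":
            args = words[1:]
            if args and args[0] == "-n":
                section.explicit_name = True
                args = args[1:]
            section.subpackage = args[0] if args else None
        elif words[0] == "%basetype":
            if section.basetype is not None:
                raise PolicyParseError(f"line {lineno}: %basetype given twice")
            if len(words) != 2 or words[1] == "default":
                raise PolicyParseError(f"line {lineno}: %basetype needs one concrete type")
            section.basetype = words[1]
        elif words[0] == "%module":
            if len(words) != 2:
                raise PolicyParseError(f"line {lineno}: %module needs exactly one path")
            path = words[1]
            current = PolicyModule(path=path,
                                   name=os.path.splitext(os.path.basename(path))[0])
            section.modules.append(current)
        elif ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if current is None:
                raise PolicyParseError(f"line {lineno}: option {key} before any %module")
            if key == "Name":
                current.name = value
            elif key == "Types":
                current.types = value.split() or ["default"]
            elif key == "Obsoletes":
                current.obsoletes = value.split()
            elif key == "Base":
                current.base = _parse_bool(value)
            else:
                raise PolicyParseError(f"line {lineno}: unknown option {key!r}")
        else:
            raise PolicyParseError(f"line {lineno}: cannot parse {line!r}")
    return section


def module_installs_into(module: PolicyModule, policy_type: str) -> bool:
    """True if the module may be installed into the given policy type."""
    return "default" in module.types or policy_type in module.types


if __name__ == "__main__":
    sec = parse_policy_section(SAMPLE_POLICY_SECTION)
    print(f"subpackage={sec.subpackage} basetype={sec.basetype}")
    for m in sec.modules:
        print(f"  {m.name}: path={m.path} types={m.types} "
              f"obsoletes={m.obsoletes} base={m.base}")
```

Running it on the sample shows foo carrying all four options and baz falling back to the defaults (name from the file name, no obsoletes, not a base module); feeding it `%basetype default` or an option before the first %module raises PolicyParseError, which is the check a packager wants at build time rather than at `rpm -i` time.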